Support Forum
BrettJ
New Contributor

Policy Routing vs Static Routing

Hello!

We currently have a Virtual IP set up in our FortiGate 60F and we are setting up Wazuh within our environment. I have been able to get external connections back to the Wazuh server; however, when the devices are on our internal network they can't reach the server. I was hoping to set up routing within the device to overcome this but I have been unsuccessful in getting it to work. Here is a policy route I have:

[Image: policyrouteexample.png (screenshot of the policy route)]

 The blanked-out IP box has the Virtual IP in it. I don't want all traffic to route to this, only when any internal device is trying to get to the Virtual IP.

Toshi_Esumi
Esteemed Contributor III

You don't need policy routing to implement "hairpin VIP". There are multiple discussions in the past in this forum.
Read the KB below by @vdralio and try following it.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

Toshi

adimailig
Staff

Policy route is not a requirement for Hairpin NAT.

Since the connection to the Wazuh Server is good from External but not from Internal, I believe you have a Source IP restriction on your firewall policy from WAN to SERVER.
Did you try to add your Private IP Subnet on Source IP?
Also, if you set interface "any" on your Virtual IP configuration, you can try to create a firewall policy from LAN to SERVER and put the VIP as destination.

Best Regards,

Arnold Dimailig
TAC Engineer
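As an added example (not part of this thread or the linked KB), this is what the hairpin setup both replies describe looks like in FortiOS CLI: the VIP bound to interface "any", the existing WAN-to-server policy, and a second LAN-to-server policy that uses the same VIP as its destination. The interface names wan1/internal, the address objects EXTERNAL_AGENTS and LAN_SUBNET, and the IP addresses are assumed placeholders, not values from the thread.

```fortios
# Constructed example: VIP bound to "any" so it can be the destination of a LAN-side policy too.
# 203.0.113.10 = public IP of the VIP, 192.168.1.50 = LAN IP of the Wazuh server (placeholders).
config firewall vip
    edit "VIP_WAZUH"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.1.50"
    next
end

# Existing policy for external agents (WAN -> LAN). Its source restriction is why
# internal clients never match it: they do not arrive on wan1.
config firewall policy
    edit 0
        set name "WAN_to_WAZUH"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "EXTERNAL_AGENTS"
        set dstaddr "VIP_WAZUH"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Hairpin policy for internal clients (LAN -> LAN) with the same VIP as destination.
# NAT is enabled so that, when client and server sit on the same subnet, the server's
# replies go back through the FortiGate instead of straight to the client, where the
# client would drop them because they come from 192.168.1.50, not 203.0.113.10.
config firewall policy
    edit 0
        set name "LAN_to_WAZUH_hairpin"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "LAN_SUBNET"
        set dstaddr "VIP_WAZUH"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To confirm an internal client is hitting the hairpin policy rather than the WAN one, filter sessions with `diagnose sys session filter dst 203.0.113.10` and then run `diagnose sys session list` while the client connects; the session entry shows the policy ID that matched.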